Access control list (ACL) overview
Amazon S3 access control lists (ACLs) enable you to manage access to buckets and objects. Eachbucket and object has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access. When a request is receivedagainst a resource, Amazon S3 checks the corresponding ACL to verify that the requester hasthe necessary access permissions.
S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to both control ownership of the objects that are uploaded to your bucket and to disable or enable ACLs. By default, Object Ownership is set to the Bucket owner enforced setting, and all ACLs are disabled. When ACLs are disabled, the bucket owner owns all the objects in the bucket and manages access to them exclusively by using access-management policies.
A majority of modern use cases in Amazon S3 no longer require the use of ACLs. We recommend that you keep ACLs disabled, except in circumstances where you need to control access for each object individually. With ACLs disabled, you can use policies to control access to all objects in your bucket, regardless of who uploaded the objects to your bucket. For more information, seeControlling ownership of objects and disabling ACLsfor your bucket.
If your general purpose bucket uses the Bucket owner enforced setting for S3 Object Ownership, you must use policies to grant access to your general purpose bucket and the objects in it. With the Bucket owner enforced setting enabled, requests to set access control lists (ACLs) or update ACLs fail and return theAccessControlListNotSupported error code. Requests to read ACLs are still supported.
When you create a bucket or an object, Amazon S3 creates a default ACL that grants the resourceowner full control over the resource. This is shown in the following sample bucket ACL(the default object ACL has the same structure):
<?xml version="1.0" encoding="UTF-8"?><AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Owner> <ID>*** Owner-Canonical-User-ID ***</ID> <DisplayName>owner-display-name</DisplayName> </Owner> <AccessControlList> <Grant> <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Canonical User"> <ID>*** Owner-Canonical-User-ID ***</ID> <DisplayName>display-name</DisplayName> </Grantee> <Permission>FULL_CONTROL</Permission> </Grant> </AccessControlList></AccessControlPolicy>The sample ACL includes anOwner element that identifies the owner by theAWS account's canonical user ID. For instructions on finding your canonical user ID,seeFinding an AWS account canonical userID. TheGrant element identifies the grantee (either an AWS account or apredefined group) and the permission granted. This default ACL has oneGrant element for the owner. You grant permissions by addingGrant elements, with each grant identifying the grantee and thepermission.
An ACL can have up to 100 grants.
Topics
Who is a grantee?
End of support notice: Beginning October 1, 2025, Amazon S3 will discontinue support for creating new Email Grantee Access Control Lists (ACL). Email Grantee ACLs created prior to this date will continue to work and remain accessible through the AWS Management Console, Command Line Interface (CLI), SDKs, and REST API. However, you will no longer be able to create new Email Grantee ACLs.
Between July 15, 2025 and October 1, 2025, you will begin to see an increasing rate ofHTTP 405 errors for requests to Amazon S3 when attempting to create new Email Grantee ACLs.
This change affects the following AWS Regions: US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Ireland), and South America (São Paulo).
A grantee can be an AWS account or one of the predefined Amazon S3 groups. You grantpermission to an AWS account using the email address or the canonical user ID.However, if you provide an email address in your grant request, Amazon S3 finds thecanonical user ID for that account and adds it to the ACL. The resulting ACLs alwayscontain the canonical user ID for the AWS account, not the email address of theAWS account.
When you grant access rights, you specify each grantee as atype="value"type
id– If the value specified is the canonical user ID of an AWS accounturi– If you are granting permissions to a predefined groupemailAddress– If the value specified is the email address of anAWS account
Using email addresses to specify a grantee is only supported in the following AWSRegions:
US East (N. Virginia)
US West (N. California)
US West (Oregon)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Europe (Ireland)
South America (São Paulo)
For a list of all the Amazon S3 supported regions and endpoints, seeRegions and Endpoints in theAmazon Web Services General Reference.
Example: Email address
When you grant other AWS accounts access to your resources, be aware that the AWS accounts can delegate their permissions to users under theiraccounts. This is known ascross-accountaccess. For information about using cross-account access,seeCreating a Role to Delegate Permissions to an IAM Userin theIAM User Guide.
Finding an AWS account canonical userID
The canonical user ID is associated with your AWS account. This ID is a longstring of characters, such as:
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
For information about how to find the canonical user ID for your account, seeFind the canonical user ID for your AWS account in theAWS Account Management Reference Guide.
You can also look up the canonical user ID of an AWS account by reading theACL of a bucket or an object to which the AWS account has access permissions.When an individual AWS account is granted permissions by a grant request, agrant entry is added to the ACL with the account's canonical user ID.
If you make your bucket public (not recommended), any unauthenticated usercan upload objects to the bucket. These anonymous users don't have anAWS account. When an anonymous user uploads an object to your bucket, Amazon S3adds a special canonical user ID(65a011a29cdf8ec533ec3d1ccaae921c) as the object owner inthe ACL. For more information, seeAmazon S3 bucket and object ownership.
Amazon S3 predefinedgroups
Amazon S3 has a set of predefined groups. When granting account access to a group, you specifyone of the Amazon S3 URIs instead of a canonical user ID. Amazon S3 provides the followingpredefined groups:
Authenticated Usersgroup – Represented by
http://acs.amazonaws.com/groups/global/AuthenticatedUsers.This group represents all AWS accounts.Access permission to thisgroup allows any AWS account to access the resource. However, allrequests must be signed (authenticated).
When you grant access to theAuthenticated Usersgroup, any AWS authenticated user in the world canaccess your resource.
All Users group –Represented by
http://acs.amazonaws.com/groups/global/AllUsers.Access permission to this group allows anyone in the world accessto the resource. The requests can be signed(authenticated) or unsigned (anonymous). Unsigned requests omit theAuthentication header in the request.
We highly recommend that you never grant theAll Usersgroup
WRITE,WRITE_ACP, orFULL_CONTROLpermissions. For example, althoughWRITEpermissions deny non-owners the ability tooverwrite or delete existing objects,WRITEpermissionsstill allow anyone to store objects in your bucket, for which youare billed. For more details about these permissions, see thefollowing sectionWhat permissions can I grant?.Log Delivery group– Represented by
http://acs.amazonaws.com/groups/s3/LogDelivery.WRITEpermission on a bucket enables this group to write server access logs(seeLogging requests with server access logging) to thebucket.
When using ACLs, a grantee can be an AWS account or one of the predefined Amazon S3 groups.However, the grantee cannot be an IAM user. For more information about AWSusers and permissions within IAM, seeUsingAWS Identity and Access Management.
What permissions can I grant?
The following table lists the set of permissions that Amazon S3 supports in an ACL. The set ofACL permissions is the same for an object ACL and a bucket ACL. However, dependingon the context (bucket ACL or object ACL), these ACL permissions grant permissionsfor specific buckets or object operations. The table lists the permissions anddescribes what they mean in the context of objects and buckets.
For more information about ACL permissions in the Amazon S3 console, seeConfiguring ACLs.
| Permission | When granted on a bucket | When granted on an object |
|---|---|---|
READ | Allows grantee to list the objects in the bucket | Allows grantee to read the object data and its metadata |
WRITE | Allows grantee to create new objects in the bucket. For the bucket and object ownersof existing objects, also allows deletions and overwrites of thoseobjects | Not applicable |
READ_ACP | Allows grantee to read the bucket ACL | Allows grantee to read the object ACL |
WRITE_ACP | Allows grantee to write the ACL for the applicable bucket | Allows grantee to write the ACL for the applicable object |
FULL_CONTROL | Allows grantee theREAD,WRITE,READ_ACP, andWRITE_ACP permissions on the bucket | Allows grantee theREAD,READ_ACP, andWRITE_ACP permissions on the object |
Use caution when granting access permissions to your S3 buckets and objects. For example,grantingWRITE access to a bucket allows the grantee to createobjects in the bucket. We highly recommend that you read through the entireAccess control list (ACL) overview section beforegranting permissions.
Mapping of ACL permissions and access policypermissions
As shown in the preceding table, an ACL allows only a finite set of permissions, comparedto the number of permissions that you can set in an access policy (seePolicy actions for Amazon S3).Each of these permissions allows one or more Amazon S3 operations.
The following table shows how each ACL permission maps to the corresponding access policypermissions. As you can see, access policy allows more permissions than an ACLdoes. You use ACLs primarily to grant basic read/write permissions, similar tofile system permissions. For more information about when to use an ACL, seeIdentity and Access Management for Amazon S3.
For more information about ACL permissions in the Amazon S3 console, seeConfiguring ACLs.
| ACL permission | Corresponding access policy permissions when the ACLpermission is granted on a bucket | Corresponding access policy permissions when the ACLpermission is granted on an object |
|---|---|---|
READ | s3:ListBucket,s3:ListBucketVersions, ands3:ListBucketMultipartUploads | s3:GetObject ands3:GetObjectVersion |
WRITE |
Bucket owner can create, overwrite, and delete any object in the bucket, and objectowner has In addition, when the grantee is the bucket owner, granting | Not applicable |
READ_ACP | s3:GetBucketAcl | s3:GetObjectAcl ands3:GetObjectVersionAcl |
WRITE_ACP | s3:PutBucketAcl | s3:PutObjectAcl ands3:PutObjectVersionAcl |
FULL_CONTROL | Equivalent to grantingREAD,WRITE,READ_ACP,andWRITE_ACP ACL permissions. Accordingly, thisACL permission maps to a combination of corresponding accesspolicy permissions. | Equivalent to grantingREAD,READ_ACP, andWRITE_ACP ACL permissions. Accordingly, thisACL permission maps to a combination of corresponding accesspolicy permissions. |
Condition keys
When you grant access policy permissions, you can use condition keys to constrain thevalue for the ACL on an object using a bucket policy. The following context keyscorrespond to ACLs. You can use these context keys to mandate the use of aspecific ACL in a request:
s3:x-amz-grant-read‐ Require read access.s3:x-amz-grant-write‐ Require write access.s3:x-amz-grant-read-acp‐ Require read access to the bucket ACL.s3:x-amz-grant-write-acp‐ Require write access to the bucket ACL.s3:x-amz-grant-full-control‐ Require full control.s3:x-amz-acl‐ Require aCanned ACL.
For example policies that involve ACL-specific headers, seeGranting s3:PutObject permission with a condition requiring the bucket owner to get full control. For a complete list ofAmazon S3 specific condition keys, seeActions, resources, and condition keys for Amazon S3 in theService Authorization Reference.
For more information about the permissions to S3 API operations by S3 resource types, seeRequired permissions for Amazon S3 API operations.
aclRequired values for common Amazon S3requests
To identify Amazon S3 requests that required ACLs for authorization, you can use theaclRequired value in Amazon S3 server access logs or AWS CloudTrail. TheaclRequired value that appears in CloudTrail or Amazon S3 server access logsdepends on which operations were called and certain information about the requester,object owner, and bucket owner. If no ACLs were required, or if you are setting thebucket-owner-full-control canned ACL, or if the requests areallowed by your bucket policy, theaclRequired value string is"-" in Amazon S3 server access logs and is absent in CloudTrail.
The following tables list the expectedaclRequired values in CloudTrail orAmazon S3 server access logs for the various Amazon S3 API operations. You can use thisinformation to understand which Amazon S3 operations depend on ACLs for authorization. Inthe following tables, A, B, and C represent the different accounts associated withthe requester, object owner, and bucket owner. Entries with an asterisk (*) indicateany of accounts A, B, or C.
PutObject operations in the following table, unless specifiedotherwise, indicate requests that do not set an ACL, unless the ACL is abucket-owner-full-control ACL. A null value foraclRequired indicates thataclRequired is absentin AWS CloudTrail logs.
The following table shows theaclRequired values for CloudTrail.
| Operation name | Requester | Object owner | Bucket owner | Bucket policy grants access | aclRequired value | Reason |
|---|---|---|---|---|---|---|
GetObject | A | A | A | Yes or No | null | Same-account access |
GetObject | A | B | A | Yes or No | null | Same-account access with bucket owner enforced |
GetObject | A | A | B | Yes | null | Cross-account access granted by bucket policy |
GetObject | A | A | B | No | Yes | Cross-account access relies on ACL |
GetObject | A | A | B | Yes | null | Cross-account access granted by bucket policy |
GetObject | A | B | B | No | Yes | Cross-account access relies on ACL |
GetObject | A | B | C | Yes | null | Cross-account access granted by bucket policy |
GetObject | A | B | C | No | Yes | Cross-account access relies on ACL |
PutObject | A | Not applicable | A | Yes or No | null | Same-account access |
PutObject | A | Not applicable | B | Yes | null | Cross-account access granted by bucket policy |
PutObject | A | Not applicable | B | No | Yes | Cross-account access relies on ACL |
PutObject with an ACL (except forbucket-owner-full-control) | * | Not applicable | * | Yes or No | Yes | Request grants ACL |
ListObjects | A | Not applicable | A | Yes or No | null | Same-account access |
ListObjects | A | Not applicable | B | Yes | null | Cross-account access granted by bucket policy |
ListObjects | A | Not applicable | B | No | Yes | Cross-account access relies on ACL |
DeleteObject | A | Not applicable | A | Yes or No | null | Same-account access |
DeleteObject | A | Not applicable | B | Yes | null | Cross-account access granted by bucket policy |
DeleteObject | A | Not applicable | B | No | Yes | Cross-account access relies on ACL |
PutObjectAcl | * | * | * | Yes or No | Yes | Request grants ACL |
PutBucketAcl | * | Not applicable | * | Yes or No | Yes | Request grants ACL |
REST.PUT.OBJECT operations in the following table, unlessspecified otherwise, indicate requests that do not set an ACL, unless the ACL isabucket-owner-full-control ACL. AnaclRequired valuestring of "-" indicates a null value in Amazon S3 server accesslogs.
The following table shows theaclRequired values for Amazon S3 server access logs.
| Operation name | Requester | Object owner | Bucket owner | Bucket policy grants access | aclRequired value | Reason |
|---|---|---|---|---|---|---|
REST.GET.OBJECT | A | A | A | Yes or No | - | Same-account access |
REST.GET.OBJECT | A | B | A | Yes or No | - | Same-account access with bucket owner enforced |
REST.GET.OBJECT | A | A | B | Yes | - | Cross-account access granted by bucket policy |
REST.GET.OBJECT | A | A | B | No | Yes | Cross-account access relies on ACL |
REST.GET.OBJECT | A | B | B | Yes | - | Cross-account access granted by bucket policy |
REST.GET.OBJECT | A | B | B | No | Yes | Cross-account access relies on ACL |
REST.GET.OBJECT | A | B | C | Yes | - | Cross-account access granted by bucket policy |
REST.GET.OBJECT | A | B | C | No | Yes | Cross-account access relies on ACL |
REST.PUT.OBJECT | A | Not applicable | A | Yes or No | - | Same-account access |
REST.PUT.OBJECT | A | Not applicable | B | Yes | - | Cross-account access granted by bucket policy |
REST.PUT.OBJECT | A | Not applicable | B | No | Yes | Cross-account access relies on ACL |
REST.PUT.OBJECT with an ACL (except forbucket-owner-full-control) | * | Not applicable | * | Yes or No | Yes | Request grants ACL |
REST.GET.BUCKET | A | Not applicable | A | Yes or No | - | Same-account access |
REST.GET.BUCKET | A | Not applicable | B | Yes | - | Cross-account access granted by bucket policy |
REST.GET.BUCKET | A | Not applicable | B | No | Yes | Cross-account access relies on ACL |
REST.DELETE.OBJECT | A | Not applicable | A | Yes or No | - | Same-account access |
REST.DELETE.OBJECT | A | Not applicable | B | Yes | - | Cross-account access granted by bucket policy |
REST.DELETE.OBJECT | A | Not applicable | B | No | Yes | Cross-account access relies on ACL |
REST.PUT.ACL | * | * | * | Yes or No | Yes | Request grants ACL |
Sample ACL
The following sample ACL on a bucket identifies the resource owner and a set ofgrants. The format is the XML representation of an ACL in the Amazon S3 REST API. Thebucket owner hasFULL_CONTROL of the resource. In addition, the ACLshows how permissions are granted on a resource to two AWS accounts, identified bycanonical user ID, and two of the predefined Amazon S3 groups discussed in the precedingsection.
<?xml version="1.0" encoding="UTF-8"?><AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Owner> <ID>Owner-canonical-user-ID</ID> <DisplayName>display-name</DisplayName> </Owner> <AccessControlList> <Grant> <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"> <ID>Owner-canonical-user-ID</ID> <DisplayName>display-name</DisplayName> </Grantee> <Permission>FULL_CONTROL</Permission> </Grant> <Grant> <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"> <ID>user1-canonical-user-ID</ID> <DisplayName>display-name</DisplayName> </Grantee> <Permission>WRITE</Permission> </Grant> <Grant> <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"> <ID>user2-canonical-user-ID</ID> <DisplayName>display-name</DisplayName> </Grantee> <Permission>READ</Permission> </Grant> <Grant> <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"> <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI> </Grantee> <Permission>READ</Permission> </Grant> <Grant> <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"> <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI> </Grantee> <Permission>WRITE</Permission> </Grant> </AccessControlList></AccessControlPolicy>Canned ACL
Amazon S3 supports a set of predefined grants, known ascanned ACLs. Eachcanned ACL has a predefined set of grantees and permissions. The following tablelists the set of canned ACLs and the associated predefined grants.
| Canned ACL | Applies to | Permissions added to ACL |
|---|---|---|
private | Bucket and object | Owner getsFULL_CONTROL. No one else has accessrights (default). |
public-read | Bucket and object | Owner getsFULL_CONTROL. TheAllUsers group (seeWho is a grantee?) getsREAD access. |
public-read-write | Bucket and object | Owner getsFULL_CONTROL. TheAllUsers group getsREAD andWRITE access. Granting this on a bucket isgenerally not recommended. |
aws-exec-read | Bucket and object | Owner getsFULL_CONTROL. Amazon EC2 getsREAD access toGET an Amazon Machine Image (AMI) bundle from Amazon S3. |
authenticated-read | Bucket and object | Owner getsFULL_CONTROL. TheAuthenticatedUsers group getsREADaccess. |
bucket-owner-read | Object | Object owner getsFULL_CONTROL. Bucket ownergetsREAD access. If you specify this canned ACLwhen creating a bucket, Amazon S3 ignores it. |
bucket-owner-full-control | Object | Both the object owner and the bucket owner getFULL_CONTROL over the object. If you specifythis canned ACL when creating a bucket, Amazon S3 ignores it. |
log-delivery-write | Bucket | TheLogDelivery group getsWRITE andREAD_ACPpermissions on the bucket. For more information about logs, see(Logging requests with server access logging). |
You can specify only one of these canned ACLs in your request.
You specify a canned ACL in your request by using thex-amz-acl requestheader. When Amazon S3 receives a request with a canned ACL in the request, it adds thepredefined grants to the ACL of the resource.
